You can use a Secure Socket Layer (SSL) enabled proxy server in front of the AS Java to handle client requests to it. You can then perform client certificate verification on the proxy server. Consequently, the proxy attaches the public key of the client certificate to the request and forwards it to the AS Java. The latter accepts the request and logs the client without additional verification.
The default communication protocol that the proxy uses to forward the client request to the AS Java is SSL. In this case, the AS Java verifies the certificate of the proxy server (used for establishing the SSL connection) against a trusted proxy certificate. If the proxy server certificate matches a predefined one, then ICM accepts any client certificate that the proxy forwards with the request. If no match is found, the corresponding headers of the requests that concern the certificates are ignored.
If the proxy server forwards the client certificates to the AS Java via HTTP, they are ignored by default.
To specify how the ICM handles client requests over SSL, you have to configure a set of ICM properties.
More information: SSL Parameters for ICM and Web Dispatcher